CAPSL Integrated Protocol Environment

CAPSL Integrated Protocol Environment. Jon Millen (PI) Grit Denker SRI International January, 2000. DARPA Project: TIPE. The Integrated Protocol Environment Started August 1998 Technology: cryptographic protocol security analysis/design


Presentation Transcript


  1. CAPSL Integrated Protocol Environment • Jon Millen (PI) • Grit Denker • SRI International • January, 2000

  2. DARPA Project: TIPE • The Integrated Protocol Environment • Started August 1998 • Technology: cryptographic protocol security analysis/design • Approach: formal specification language usable with any analysis tool - CAPSL • Product: an integrated environment to use CAPSL with analysis tools, especially PVS and Maude

  3. Cryptographic Protocols • For key distribution or authentication • Examples • SSL - in browsers • IKE - IPsec key exchange • SET - secure electronic transactions • Kerberos - remote unitary login • KEA - used with Clipper, Skipjack • New ones are continually proposed

  4. Protocol Flaw Analysis • Concern: active attacks • masquerading, replay, man-in-middle, etc. • Actual and theoretical examples • IP spoofing, published protocols/attacks • Protocol flaws rather than cryptosystem weaknesses • Countermeasure: formal design analysis • Abstract encryption model, formal specification • Inductive proofs, state-space search, authentication logics • Analysis can find flaws, suggest improvements, prove conditional correctness

  5. TIPE/CAPSL Concept [diagram; labels recovered from the slide] • Cryptographic Protocols: the basis for Internet Security • CAPSL: modern, precise, easy-to-use specification language • Translation • CIL (CAPSL Intermediate Language: term rewriting) • Custom “connectors”: enables the coordinated application of multiple tools • SRI PVS: inductive proofs • SRI Maude: model-checker • NRL Protocol Analyzer • Others: trace models, strand spaces

  6. CAPSL • Common Authentication Protocol Specification Language • High-level message-list based language with abstract encryption operators (article style: A -> B: {A}K) • Declarations: • strong typing and abstract data type extensions • initialization, named expressions • security goals • Actions between messages: tests, assignments

  7. CAPSL Style Example

         PROTOCOL Short;
         IMPORTS ClientServer;
         VARIABLES
           A,S: PKUser;
           N: Nonce, FRESH, CRYPTO;
         ASSUMPTIONS
           HOLDS A: S;
         MESSAGES
           A -> S: A,{A,N}SK(A);
           S -> A: {S,N}PK(A);
         GOALS
           SECRET N: A, S;
         END;

     • Variables have types and properties • Key functions are imported • Spec includes assumptions and security goals

  8. CIL • Semantics: multiset term-rewriting (MSR) • Mitchell, CAV’98 and Durgin, et al CSFW-12 • Basic state-transition model for protocols • Pattern-matching style suits most analyzers • CIL output includes declarations, axioms, goals, and environmental assumptions • Example:

         CAPSL:  A -> B: A, N;
         MSR:    A0(A,B) -> (∃N) A1(A,B), M(A,B,A)
         CIL:    rule(facts(state(roleA,0,terms(A,B))), ids(N),
                      facts(state(roleA,1,terms(A,B)), msg(A,B,A)))

  9. CAPSL to CIL Translation • Parser/Type-checker: Java • Checks syntax and type consistency • Rule generator: Maude (Java soon) • Checks implementability • Optimizer: Java • Combines transitions of one agent, multiple messages/actions • Typically 50% reduction

  10. Rule Optimization

         Protocol:
           A -> B: A;
           B -> A: B;

         Rules before optimization:
           A1(A,B) -> A2(A,B),M(A,B,A)
           B1(B),M(X,B,A) -> B2(B,A)
           B2(B,A) -> B3(B,A),M(B,A,B)
           A2(B),M(X,A,B) -> A4(A,B)

         Rules after optimization:
           A1(A,B) -> A2(A,B),M(A,B,A)
           B1(B),M(X,B,A) -> B3(B,A),M(B,A,B)
           A2(B),M(X,A,B) -> A4(A,B)

     • Optimizations must be attack-preserving

  11. Our Protocol Analysis Tools • PVS for inductive verification • SRI verification environment • Supports abstract data types and fixpoint induction • Used with a modification of Paulson’s approach • Maude for model checking • Executable specifications based on Rewriting Logic • High performance rewrite engine (800K/sec) • Supports typed variables and reflection • Denker, et al paper at FMSP ‘98 • Related work under DARPA Active Nets program

  12. Inductive Proofs with PVS • Paulson-style trace model, also new state-based model to match CIL • Security property is an invariant, proved inductively • Support structure • Standard axiomatic “theories” for messages, fields, and attacker operations • Each protocol is a recursive function • PVS “strategies” to automate proof • cil2pvs connector

  13. CIL to PVS

         CIL:
           rule(facts(state(roleA,3,terms(A,B))), ids(N),
                facts(state(roleA,4,terms(A,B,N)), msg(A,B,terms(A,se(SK(B),N)))))

         PVS (output of cil2pvs):
           rule(F,L,H): bool =
             EXISTS(A, B, N): unused(H, N)
               AND member(state(roleA,3,A++B),H)
               AND F = state(roleA,4,A++B++N)
               AND L = (: msg(A,B,A++Enc(SK(B),N)) :)

  14. Model Checking with Maude • Support structure: data types, attacker model, nonce generation, search strategy, goal definition • Protocol is a set of term rewriting rules • Some examples (e.g., Needham-Schroeder Public-Key, Dolev-Yao ping-pong example) • cil2maude connector in process

  15. CIL to Maude

         CIL:
           rule(facts(state(roleA,3,A,B)), ids(N),
                facts(state(roleA,4,A,B,N), msg(A,B,terms(A,se(SK(B),N)))))

           rule(facts(state(roleA,3,terms(A,B))), ids(N),
                facts(state(roleA,4,terms(A,B,N)), msg(A,B,terms(A,se(SK(B),N)))))

         Maude (output of cil2maude):
           rl [msg3] :
             facts(state(roleA,3,terms(A,B)), H)
             => facts(state(roleA,4,terms(A,B, mkNonce(H))),
                      msg(A,B,terms(A,se(SK(B), mkNonce(H)))), H) .

  16. Web Site

  17. Web Site - What’s On It • HTML version of CAPSL specification report • Protocol examples in CAPSL • Grammar for CAPSL syntax • Downloadable preliminary translator • Parser applet • Papers, reports (postscript) • Design discussion notes • URL: http://www.csl.sri.com/~millen/capsl

  18. Papers, Reports • DISCEX paper • SP ‘00 paper: Protocol-Independent Secrecy • FMSP’99 paper: CAPSL Intermediate Language • FMSP’99 paper: A Necessarily Parallel Attack • SRI-CSL-99-2: CAPSL and CIL Language Design • ASSET’99: CAPSL Interface for the NRL Protocol Analyzer

  19. Future Research • Group management protocols and policies • Connectors to other tools, e.g., Athena • Integration with authentication logics • CAPSL support for other syntactic analysis • Special security policies (denial of service, etc.) • Significant examples; data abstraction • Prototype generation
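
The optimizer step described on slides 9 and 10 (combining transitions of one agent), as an added Python example that is not the TIPE translator's code. The tuple encoding of facts and the names `translate`, `optimize` and `network_view` are assumptions made for illustration, and only linear message lists are handled. Comparing the network view before and after is a sanity check on the attacker-visible messages, not a proof that the optimization is attack-preserving.

```python
from collections import namedtuple

# Constructed model (an assumption, not CIL syntax): facts are tuples,
# a rule rewrites the multiset `lhs` into the multiset `rhs`.
Rule = namedtuple("Rule", "lhs rhs")

def state(role, step):
    return ("state", role, step)

def msg(src, dst, body):
    return ("msg", src, dst, body)

def translate(messages):
    """Emit one send rule and one receive rule per 'src -> dst: body'."""
    step, rules = {}, []
    for src, dst, body in messages:
        s, d = step.setdefault(src, 1), step.setdefault(dst, 1)
        rules.append(Rule((state(src, s),), (state(src, s + 1), msg(src, dst, body))))
        # The receiver cannot check the origin, so the sender is the variable X.
        rules.append(Rule((state(dst, d), msg("X", dst, body)), (state(dst, d + 1),)))
        step[src], step[dst] = s + 1, d + 1
    return rules

def merge_once(rules):
    """Fuse a rule that yields only a state with the rule consuming only that state."""
    for r1 in rules:
        for r2 in rules:
            if r1 is not r2 and len(r1.rhs) == 1 and r2.lhs == r1.rhs:
                merged = Rule(r1.lhs, r2.rhs)
                return [merged if r is r1 else r for r in rules if r is not r2]
    return None

def optimize(rules):
    """Repeat the merge until no receive-then-send pair of one agent remains."""
    while (merged := merge_once(rules)) is not None:
        rules = merged
    return rules

def network_view(rules):
    """Message facts sent and received: what an attacker on the network sees."""
    sent = {f for r in rules for f in r.rhs if f[0] == "msg"}
    received = {f for r in rules for f in r.lhs if f[0] == "msg"}
    return sent, received

# Slide 10's protocol: A -> B: A; B -> A: B;
SLIDE_10 = [("A", "B", "A"), ("B", "A", "B")]

if __name__ == "__main__":
    for rule in optimize(translate(SLIDE_10)):
        print(rule.lhs, "->", rule.rhs)
```

State numbering here is sequential per role, so the final state of A is numbered 3 rather than the slide's A4.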
